kmullen
Frequent Visitor
Topic Author
Posts: 57
Joined: Thu Dec 30, 2004 9:48 pm

Access Control and accounting with Radius

Sat Dec 17, 2005 3:25 am

HELP!

I am so tired of dealing with "wired" network people that don't think the following is possible:

Wireless client links to AP
Traffic passes to MT in Router mode
MT uses MAC or IP to check Radius for access.
if authorized access granted
if unrecognized forwarded to info page for obtaining access.
if blocked for non-payment redirected to page explaining reason and #
If blocked for abuse or virus redirected to page explaining reason and #

I want to use Radius so I can shut off clients for multiple locations from one central database.

All access points are capable of querying Radius servers using MAC address.

I need serious, DETAILED help.

:!: :?:
 
kmullen
Frequent Visitor
Topic Author
Posts: 57
Joined: Thu Dec 30, 2004 9:48 pm

What no help out there!

Tue Dec 20, 2005 11:50 pm

:roll:

Lots of people looking but no answers. I know this is possible because I know of one ISP using MT to do this.

No one willing to help? :?:
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Re: Access Control and accounting with Radius

Wed Dec 21, 2005 11:28 am

Hi - I don't currently have the time to put up a detailed instruction here (apart from that that's a thing I normally make money with...). Some hints:

- Use Hotspot on the MikroTik for login checking etc - in combination with RADIUS server (this has been a topic in these forums several times).
- Then use RADIUS to put the non-paying and virus-infected users into different address pools.
- Create HTTP-redirection rules for all users in the "bad" pools, i.e. a rule which redirects all traffic from clients in the "non-paying" pool to port 80 to a special webserver you run presenting your "please pay your bill"-page.

Regards,
Christian
 
kmullen
Frequent Visitor
Topic Author
Posts: 57
Joined: Thu Dec 30, 2004 9:48 pm

Thanks

Thu Dec 22, 2005 4:13 am

CMIT, I fully understand that NO ONE should work for free. If this is your line of business I am willing to pay for your work.

From your tips I'm assuming you think I am using DHCP. We statically assign IPs based on the MAC of the client's CPE.

Also, each tower has a standalone MT with no wlan cards. Will this still work as a hotspot controller?
 
kmullen
Frequent Visitor
Topic Author
Posts: 57
Joined: Thu Dec 30, 2004 9:48 pm

And . . .

Thu Dec 22, 2005 4:17 am

Our customers don't use a login. So will the hotspot controller use the MAC address of the radio as the username / password?
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Thu Dec 22, 2005 10:09 am

I'm not sure what you mean by the "standalone MT with no wireless cards".
Apart from that: You could use HotSpot and have it authenticate against a RADIUS server using the client's MAC address as username. So your scenario would be possible. One thing you have to ensure in such a scenario is that you really get the clients' MAC address through to the hotspot. Depending on config/network setup you could end up not seeing the real source MAC address of the customer.

Also - I'm sure you have thought of this - a MAC address could be forged quite easily...

Best regards,
Christian Meis
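
A check for the forgery concern raised above, added here as an example and not part of the original post: with the MAC address as the RADIUS username, a copied MAC shows up in accounting as the same User-Name active on two towers at once. The records, tower names and the `stale_after` timeout are constructed assumptions.

```python
from collections import defaultdict

# Constructed accounting records:
# (time_s, Acct-Status-Type, User-Name, NAS-Identifier, Acct-Session-Id)
SAMPLE_EVENTS = [
    (100, "Start", "02:00:00:00:00:01", "tower-a", "a1"),
    (160, "Start", "02:00:00:00:00:02", "tower-b", "b1"),
    (220, "Stop", "02:00:00:00:00:02", "tower-b", "b1"),
    (300, "Start", "02:00:00:00:00:01", "tower-c", "c7"),  # a1 still open
    (400, "Start", "02:00:00:00:00:02", "tower-a", "a2"),  # clean move
    (460, "Interim-Update", "02:00:00:00:00:01", "tower-a", "a1"),
    (500, "Stop", "02:00:00:00:00:01", "tower-a", "a1"),
]


def find_mac_conflicts(events, stale_after=900):
    """Return (mac, open_nas, new_nas, time) for each overlapping session.

    A session with no Start/Interim-Update for `stale_after` seconds is
    treated as closed, so a lost Stop packet does not alert forever.
    """
    open_sessions = defaultdict(dict)  # mac -> {session_id: (nas, last_seen)}
    alerts = []
    for ts, status, user_name, nas, session_id in sorted(events, key=lambda e: e[0]):
        mac = user_name.strip().lower()
        sessions = open_sessions[mac]
        # Expire sessions whose Stop was probably lost.
        for sid in [s for s, (_, seen) in sessions.items() if ts - seen > stale_after]:
            del sessions[sid]
        if status == "Stop":
            sessions.pop(session_id, None)
            continue
        if status == "Start":
            for other_nas, _ in sessions.values():
                if other_nas != nas:
                    alerts.append((mac, other_nas, nas, ts))
        sessions[session_id] = (nas, ts)  # Start or Interim-Update refreshes
    return alerts


if __name__ == "__main__":
    for mac, old_nas, new_nas, ts in find_mac_conflicts(SAMPLE_EVENTS):
        print(f"t={ts}: {mac} opened on {new_nas} while still active on {old_nas}")
```

A CPE that re-associates to a neighbouring tower without a clean Stop produces the same pattern, so an alert is a prompt to look at the two sessions rather than proof of forgery.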
 
kmullen
Frequent Visitor
Topic Author
Posts: 57
Joined: Thu Dec 30, 2004 9:48 pm

Forgery!?!

Thu Dec 22, 2005 6:32 pm

Yes we did think of that, but we haven't had much of a problem. If we use PPPoE then all customers behind a residential router would have access when one authenticates. Right?
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Re: Forgery!?!

Fri Dec 23, 2005 10:21 am

"If we use PPPoE then all customers behind a residential router would have access when one authenticates. Right?"
Yeah - there would be no way to distinguish between those then.

Best regards,
Christian Meis
 
YazzY
Member Candidate
Posts: 140
Joined: Fri May 28, 2004 3:26 pm
Location: Norway, Østfold

Fri Dec 23, 2005 11:03 am

Create one IP pool for paying users, one for non-paying and one for blocked ones.
Create three groups, each with a different pool attribute. You can even set up a different speed rate for each of the groups (non-paying users get 32kbit traffic rate).
Let them all authenticate and get IPs.
Set up firewalling to redirect tcp 80 requests from the network of the naughty users to your website.
Users with no account can get IP via DHCP and get all their traffic forwarded to your website of choice as if you were running hotspot.

Detailed help is available if you check out http://www.mikrotik.com/consultants.html
:)

Cheers,
Marcin Jessa.
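
The scheme described in this post and in the earlier hints, modelled as an added example that is not part of the original posts: the RADIUS side accepts every known MAC and only chooses its pool, and the router decides what to do from the source address alone. The pool ranges, notice URLs and subscriber table are constructed assumptions; `Framed-Pool` and `Mikrotik-Rate-Limit` are the reply attributes assumed to carry the group's pool and the 32k rate.

```python
import ipaddress

# Assumed values, constructed for this example: pool ranges, notice URLs,
# and the central subscriber table keyed by MAC address.
POOLS = {
    "paying": ipaddress.ip_network("10.10.0.0/24"),
    "nonpaying": ipaddress.ip_network("10.20.0.0/24"),
    "blocked": ipaddress.ip_network("10.30.0.0/24"),
    "noaccount": ipaddress.ip_network("10.40.0.0/24"),  # plain DHCP range
}
NOTICE_PAGE = {
    "nonpaying": "http://notice.example/unpaid",
    "blocked": "http://notice.example/blocked",
    "noaccount": "http://notice.example/signup",
}
SUBSCRIBERS = {
    "020000000001": "paying",
    "020000000002": "nonpaying",
    "020000000003": "blocked",
}


def normalize_mac(raw):
    """Accept 02:00:.., 02-00-.. or 0200.. and return 12 lowercase hex digits."""
    digits = raw.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def radius_reply(user_name):
    """RADIUS side: a known MAC is accepted and its group selects the pool."""
    group = SUBSCRIBERS.get(normalize_mac(user_name))
    if group is None:
        return "Access-Reject", {}  # stays in the "noaccount" DHCP range
    attrs = {"Framed-Pool": "pool-" + group}
    if group == "nonpaying":
        attrs["Mikrotik-Rate-Limit"] = "32k/32k"
    return "Access-Accept", attrs


def router_action(src_ip, dst_port):
    """Router side: decide from the source pool alone, as the firewall would."""
    addr = ipaddress.ip_address(src_ip)
    group = next((g for g, net in POOLS.items() if addr in net), None)
    if group == "paying":
        return "forward", None
    if group in NOTICE_PAGE and dst_port == 80:
        return "redirect", NOTICE_PAGE[group]
    return "drop", None  # assumption: the thread does not say what happens here
```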
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Fri Dec 23, 2005 11:09 am

(Off-topic)
Hey Marcin - read your e-mail ;)

Best regards,
Christian Meis